State Audit Finds More Than Half Of Minnesota's 11,000 Law Enforcement Users Misused Driver Data

from the unfortunately,-nothing-really-shocking-about-these-findings dept

It's been proven before by various government agencies and it still holds true: if you give someone more access than oversight when it comes to collected personal information, you can't be surprised when this tool gets abused.

The review by the state's legislative auditor — highly anticipated by legislators and privacy advocates — said officers need better training in allowed uses of the protected data, and local and state agencies should do more to monitor use. Beyond 88 incidents of misuse documented in state records last year, auditors found even more suspicious activity buried in audit trails.

More than half of the 11,000 law enforcement users of the Driver and Vehicle Services (DVS) website in that time frame queried themselves or people with the same last name, for example, or disproportionately searched for people of one sex.

This study's findings will likely result in some additions to legislation proposed earlier this year, which seeks to add penalties and transparency to data breaches by government employees, requiring local agencies to post full investigation reports online should any breach occur. The legislation itself was written in response to a severe data breach traced back to a single government employee.

The legislation came on the heels of news that a former employee at the Department of Natural Resources had viewed thousands of drivers license records — almost exclusively of women — without a permissible use. That employee, John Hunt, is now facing criminal charges, and his actions have spurred five federal lawsuits against the state.

This employee might have been caught more quickly, but Hunt likely knew the limitations of the DPS auditing system and stayed below the radar, despite making nearly 19,000 queries to the database over the course of five years.

The report also recommended that because audits by the DPS largely detect heavy users, rather than suspicious use, local agencies should conduct more proactive monitoring. They suggested the department beef up its abilities to assist local agencies.

[Public safety commissioner Mona] Dohman said in an interview that the queries were so spread out that he did not emerge in their monthly review of the top 50 users.
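The gap described here, shown as an added example (not code from the audit, DPS, or this article): over a constructed audit trail, a volume-only top-N review misses a low-volume account that the two indicators the auditors cite, same-surname queries and a one-sex skew, would flag. The log layout, user IDs and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample audit trail: (user_id, user_surname, subject_surname, subject_sex).
# Field layout, names and values are assumptions made for this example.
def build_sample_log():
    log = []
    # Two heavy users with a balanced, work-like query mix.
    for i in range(300):
        log.append(("u_heavy1", "Olson", f"Subj{i}", "F" if i % 2 else "M"))
    for i in range(200):
        log.append(("u_heavy2", "Berg", f"Subj{i}", "M" if i % 2 else "F"))
    # One low-volume user: 40 queries, 38 about women, 3 on the user's own surname.
    for i in range(40):
        surname = "Lind" if i < 3 else f"Subj{i}"
        log.append(("u_low", "Lind", surname, "M" if i >= 38 else "F"))
    return log

def top_n_by_volume(log, n):
    """Volume-only review: the n users with the most queries."""
    counts = Counter(user for user, *_ in log)
    return [user for user, _ in counts.most_common(n)]

def flag_by_pattern(log, min_queries=20, skew=0.85, max_same_surname=0):
    """Flag users whose queries skew to one sex or hit their own surname."""
    per_user = defaultdict(lambda: {"total": 0, "sex": Counter(), "same": 0})
    for user, user_surname, subject_surname, subject_sex in log:
        stats = per_user[user]
        stats["total"] += 1
        stats["sex"][subject_sex] += 1
        if subject_surname.lower() == user_surname.lower():
            stats["same"] += 1
    flagged = {}
    for user, stats in per_user.items():
        reasons = []
        share = max(stats["sex"].values()) / stats["total"]
        # Small samples skew by chance, so require a minimum query count.
        if stats["total"] >= min_queries and share >= skew:
            reasons.append(f"one-sex share {share:.0%}")
        if stats["same"] > max_same_surname:
            reasons.append(f"{stats['same']} same-surname queries")
        if reasons:
            flagged[user] = reasons
    return flagged

if __name__ == "__main__":
    sample = build_sample_log()
    print("top 2 by volume:", top_n_by_volume(sample, 2))
    print("flagged by pattern:", flag_by_pattern(sample))
```

A flag from either heuristic is a lead for a human reviewer to check against case records, not a finding of misuse.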

In addition to the larger breaches, there were also cases where failure to deactivate accounts resulted in additional misuse of the DVS system.

During the 18 months ending June 30, 2012, 13 users conducted queries using access privileges associated with law enforcement agencies that no longer existed. Over the same time period, three former employees of state law enforcement agencies, as well as four former employees of local law enforcement agencies, accessed the DVS Web site using usernames and passwords that should have been disabled.

The current process for disabling accounts is almost farcical in its slowness. The report points out that the DVS allows accounts to remain dormant for 120 days before inactivating them. While this is a huge improvement over the 500 days it used to allow, it's still plenty of time for anyone looking to query a database they should no longer have access to.

Compounding the existing misuse issues is the fact that law enforcement agencies have exempted themselves from many of the policies affecting authorized civilian users. To begin with, sworn officers are not required to attend training or refresher courses on proper use of the DVS system, including policies regarding general security and appropriate data use. Officers are also exempted from the same user agreement that greets civilians at login and are otherwise not held accountable by any agreement when utilizing the DVS database.

DPS (Dept. of Public Safety) has not implemented other access management practices for all users. For example, DPS does not require a user agreement for sworn officers with access to the DVS Web site. Civilian law enforcement employees must sign a user agreement justifying their need for driver's license information, including their specific needs for access to driver's license photographs. DVS staff review the agreements before granting access. BCA (Bureau of Criminal Apprehension) has a signed intra-agency agreement with DVS. Agencies with employees who access BCA systems sign an agreement taking responsibility for access by their staff, among other things. Thus, it is only sworn officers who use the DVS Web site for whom DPS does not require an agreement, signed by the user or his or her employer, taking responsibility for appropriate access.

The findings of this study will certainly raise questions about this law enforcement double standard. The proposed legislation, with its attendant penalties and openness, is unsurprisingly being fought by the law enforcement community.

House author Rep. Mary Liz Holberg, R-Lakeville, said she has already met resistance from some law enforcement entities.

"If you have bad actors in your bunch, then why shouldn't the public know about it?" Holberg said. "It seems like nobody wants any sunshine around this issue. And I think it would do a lot to rebuild the public trust if there was more public awareness of misuse and consequences."

It's pretty hard to rebuild public trust when you don't trust the public. Or, at least, don't trust them enough to be honest with them. The law enforcement fraternity has never been one for openness and consistency. As the study notes, misuse of the DVS system is handled differently by every law enforcement agency, if it's even punished at all. The lack of a codified "best practices" or even a basic "user agreement" that holds the individual officer responsible for his actions has led to widespread misuse. Minnesota's legislators are on the right track and this audit offers some very sound suggestions, but the feeling that those who enforce the law should be exempted from these same laws is somewhat endemic in law enforcement, meaning this has the potential to get worse before it gets any better. If they aren't careful, this legislation could reach passage with very few "teeth" intact, if it gets there at all.

Reader Comments

And they want SOPA/PIPA/CISPA/etc as if the Govt would NEVER abuse them... If we wanted more proof that the Govt needs to be kept under control this is it. After all, it's also composed of fallible and corruptible humans.

Nobody thought to charge 5500 Minnesota Law Enforcement database users under CFAA? Imagine how many millions of years the DA could go for across all cases treating each separate access as a separate offence.

Re: I can't imagine

If a law enforcement officer queried themselves it's kind of funny in that everyone wants to learn about themselves. (the average citizen should be able to do the same) However, the disproportionate searching about the opposite sex is so scary it's hard to express. (and I mean REALLY scary in a way that is inexpressible) It's an indication that law enforcement officials take advantage of private (government official accessible) information for personal abuse.

This is an example of a “just because a list is made it will be taken advantage of” kind of thing. Personally, I favor only violent felony convictions being public record in the sense that violent felons must not be treated in the same way as common citizens (regardless of non violent felony convictions).

One set of rules for the citizen and another for those in positions of authority. What else is new? The fact that the predominantly male force is using the DVS website to access random women's personal info is highly disturbing. The worst thing is that people are unaware of who's being looked into and for what purposes, very much like digital stalking.

ONLY for government agencies? What about Google?

"It's been proven before by various government agencies and it still holds true: if you give someone more access than oversight when it comes to collected personal information, you can't be surprised when this tool gets abused."

First, I noted in sub-head and 1st paragraph that lack of surprise is an almost unavoidable theme here at Techdirt.

Then I noted a 2nd recurring theme: only narrow worries that mostly distract from much larger actualities. While a jab is thrown at Facebook now and then, the possibility that Google with its massive server farms and collating engines with almost no public oversight just MIGHT mis-use that power (including conspiring with gov't) seems off-limits.

And one of the ways that gov't exempts itself from Law is through use of "private" corporations.

Take a loopy tour of Techdirt.com! You always end up at same place! http://techdirt.com/
Techdirt's official motto: This isn't surprising.

Re: ONLY for government agencies? What about Google?

Wow sir, you've got real talent. You're able to take ANY topic and find a way to interject snarky diatribe against Google. Doesn't matter what the article is about. I bet they could write about polar ice caps melting and you'd still find a way.

"It's been proven before by various government agencies and it still holds true: if you give someone more access than oversight (demands) when it comes to collected personal information, you can't be surprised when this tool gets abused."

Out_of_the_blue (anonymous) brings to light our ignorance of how current legislation is created (and the batch of legislators that create such). Current government uses private organizations to do what it cannot do itself which is collate and organize diverse databases using identifiers we don't yet understand as a public (Example: prescriptions from your local pharmacy are sold to an aggregate collector which identifies you (exactly) by your medical record (date of birth, prescription usage, and age.) hereafter you are identified (exactly) forever in their mindset. These are unique identifiers of which drug manufacturers and state monitor laws keep track of. (another great topic would be the new prescription monitoring programs which record every doctor prescribed prescription you take).

Several organizations like Blackwater (now changed names to confuse the attentive voter) collect your personal info by contract from the federal government. The fed is prohibited from such stupidity but private organizations are not. (out_of_the_blue is correct)

Re: Re: ONLY for government agencies? What about Google?

Google server farms use a lot of energy that is mainly obtained via burning fossil fuels that generate greenhouse gases. So yes, Google is responsible for global warming and polar ice caps melting as a result. /ootb

cops training and hand books

1 cops training starts with the premise, that everyone is a criminal.
2 every hand book states, everyone lies.
cops believe they are above the law and therefore not subject to the law.
with no oversight, power corrupts.
we see it starting in the united states now, we are very close to the Nazi SS state (without antisemitism)
New York is the test bed Nanny state.

Re:

If you work at a bank you can look up the account information of any normal person but if you pull up the account information of either a movie star or a rich person it will raise a red flag. Those who are rich get special privileges that the rest don't.

Re:

“Considering that accessing public documents in an unusual amount in an open network now amounts to Felony charges I see where you are going at but I have to disagree..”

Both arrest records and felony convictions (excepting violent) are no indication of a citizen's further actions. The whole idea of law is to teach the individual the consequence of taking advantage of others by fraud, theft or whatever.

“If you work at a bank you can look up the account information of any normal person but if you pull up the account information of either a movie star or a rich person it will raise a red flag. Those who are rich get special privileges that the rest don't.”

Really? Is that true? And. Technically, how does that happen in real life?

Most people expound the phrase 'Fame and fortune'. Fame is an expense (argue with me please)(am soooo lucky to avoid such a cost. So far, lol) in that public attention is to be managed, in such a way as, to allow a normal life (cost). While fortune is a profitable thing.

Hard to delineate a way to allow a famous person to visit a local shopping mall (This has got to be a basic right, I mean really... shopping?) and the public need to ask for an autograph and create a (an embarrassing) scene.

Where does culture enter the scene? How we act as a people/society/country does matter.

Re:

Medical records are ready for abuse. (it is likely the main way NSF and FBI identifies you as a citizen regardless of your drivers license or passport credentials.) Dental records anybody? A (lot) of states have implemented an abuse of prescriptions legislation that automatically transfers your list of prescriptions to a (what the hell ) law enforcement agency for, whatever, review.

Voice print technology is a very developed technology so much so that if you receive a phone call (regardless of whether you hang up immediately) requesting what radio or TV channel you like (three seconds of recorded background sound is enough to distinguish what you are watching or listening to at the moment) is enough to...